CN101068242A - Method for obtaining internal and external network address mapping relation in safety auditing system - Google Patents

Method for obtaining internal and external network address mapping relation in safety auditing system

Info

Publication number
CN101068242A
Authority
CN
China
Prior art keywords
data packet
simulated data
port
address
source
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CNA2007100523377A
Other languages
Chinese (zh)
Other versions
CN101068242B (en)
Inventor
刘少华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Original Assignee
HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by HONGXU INFORMATION TECHNOLOGY Co Ltd WUHAN
Priority to CN2007100523377A
Publication of CN101068242A
Application granted
Publication of CN101068242B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for obtaining the mapping between internal and external network addresses in a security audit system. The mapping is obtained by sending a simulated data packet, imitating the user, from the internal-network side of the NAT and intercepting the NAT-translated simulated packet on the external-network side of the NAT. The simulated packet carries a source MAC address that does not exist in the internal network, and the TTL field of its IP header is set to a suitable value, so that the transmission of normal data packets is not affected.

Description

Method for obtaining the internal and external network address mapping relation in a security audit system
Technical field
The invention belongs to the fields of computers, network security and audit systems, and specifically relates to a method for obtaining the mapping between internal and external network addresses in a security audit system.
Background art
In recent years, as the Internet has become widespread, more and more enterprises conduct their business over the network and use it to communicate and to obtain up-to-date information; the ability and capacity of enterprises to process information have grown greatly. The benefits the Internet brings to enterprises are too many to list.
However, as the Internet gradually becomes a working tool for enterprise staff, most employees' computers are connected to it, and heavy Internet use at work has exposed many problems caused by a lack of management of network use. These problems show mainly in the following respects: confidential enterprise information is leaked through the Internet; staff browse information unrelated to work during working hours; legal disputes are brought on the enterprise; abuse of network bandwidth hinders normal business use; and abuse of the Internet creates security risks. The problem of legal disputes is especially serious. Because the Internet is open, it is flooded with undesirable websites carrying pornography, illegal speech, gambling, violence and the like, and these websites are very easy to reach. Under the relevant national laws, publishing obscene information on the Internet, or spreading superstitious, reactionary or separatist speech, is illegal; if some employees misuse the company's Internet connection for such behaviour, the enterprise is dragged into complicated legal disputes that are hard to escape.
In practice, current security audit systems are generally connected to the network either through a TAP splitter at the network egress (Fig. 1) or through port mirroring on the core switch at the egress (Fig. 2). This lets the security audit system intercept all packets between the users and the Internet and then match packet contents against the keyword rules configured in the system. The limitation is that the source IP/Port of the intercepted upstream packets and the destination IP/Port of the downstream packets are those of the user machine itself; they do not reflect the public IP/Port that the user machine's IP/Port corresponds to after NAT translation. Not all illegal activity contains clear keywords, so it cannot all be recorded. In many cases a state security organization or the administrator of a public server traces an IP/Port to determine which user carried out some illegal activity. Even when it is established that the IP/Port is indeed a public address of a certain enterprise or institution, current security audit systems are helpless, because they cannot know which machine in the internal network was using that IP/Port in a given time period. This makes investigation by state security organizations very difficult and also causes unnecessary legal problems for the enterprise.
At present the current NAT mappings can only be viewed by logging in to the router and querying it; there is not yet any method that solves this problem.
Object of the invention
The object of the invention is to remedy this deficiency of existing security audit systems by proposing a method for obtaining the internal and external network address mapping relation in a security audit system, comprising the discovery of mappings and the maintenance of the mapping table, together with a way of avoiding adverse effects on the monitored network and the Internet. It further improves the function of the security audit system and gives better support to security auditing by state security organizations and by enterprises and institutions, without requiring high hardware or software cost, which makes it easy to upgrade existing security audit systems.
Technical solution
The technical solution of the invention is a method for obtaining the internal and external network address mapping relation in a security audit system, comprising the discovery of mappings, the maintenance of the mapping table and a way of avoiding adverse effects on the monitored network and the Internet, characterized in that:
The audit system actively sends messages to probe the mapping between the two sides of the NAT. This comprises triggering the probe, constructing the simulated data packet, sending the simulated packet, and intercepting and analysing the simulated packet after NAT translation; the simulated packets that are sent are controlled so that they do not affect the normal operation of the monitored network or the Internet;
The system maintains a mapping table indexed by source IP, source Port and destination address. The system checks the table at all times, and when it finds that an entry is missing or has expired, it actively initiates a probe of the mapping; once the mapping is obtained, the detected mapping is used to update the mapping table;
The source IP and destination IP in the IP header of the simulated packet are identical to the source IP and destination IP of the packet actually sent by the user;
The source Port and destination Port in the TCP or UDP header of the simulated packet are identical to the source Port and destination Port of the packet actually sent by the user;
The source MAC address at the Ethernet layer of the simulated packet is a MAC address that does not already exist in the internal network, which ensures that sending the simulated packet has no adverse effect on the ARP address tables of the switches in the network;
The TTL field in the IP header of the simulated packet is set to the number of routers between the physical access point at which the security audit system sends the simulated packet and the physical access point at which it intercepts the simulated packet, plus 1. This ensures that the simulated packet is discarded as soon as it enters the first-hop router of the Internet and has no adverse effect on the Internet.
The method for obtaining the internal and external network address mapping relation in a security audit system as described above, characterized in that: the application-layer content of the simulated packet carries the IP address and Port of the packet actually sent by the user; the format in which the IP address and Port are carried in the application layer is not restricted.
The method for obtaining the internal and external network address mapping relation in a security audit system as described above, characterized in that: the application-layer content of the simulated packet carries the timestamp at which the simulated packet was produced; the format in which the timestamp is carried in the application layer is not restricted.
The method for obtaining the internal and external network address mapping relation in a security audit system as described above, characterized in that: when the security audit system intercepts the simulated packet after NAT translation, it uses "TTL field equals 1" as the packet filter condition.
The method for obtaining the internal and external network address mapping relation in a security audit system as described above, characterized in that the concrete steps are as follows:
1. The security audit system intercepts all packets in the internal network. For upstream packets, it filters on the packet source MAC address using a fixed MAC address Y (Y is a MAC address that does not exist in the network). A packet whose source MAC is not Y goes on to step 2; otherwise the system loops to process the next packet;
2. Using the source IP, destination IP, source Port and destination Port of upstream packet X as a four-tuple, the system queries the mapping table in the security audit system to see whether a corresponding entry already exists. If it exists, the timer of that entry is reset, the following steps are skipped, and the system loops to process the next packet; if it does not exist, the system proceeds with step 2;
3. The system constructs a simulated data packet A. The destination MAC address of packet A is the same as the destination MAC of packet X, and its source MAC is Y from step 1. The source IP, destination IP, source Port and destination Port of packet A are the same as the corresponding fields of packet X. The application layer of packet A contains the source MAC, source IP and source Port of packet X and the current date and time. The TTL field in the IP header of packet A is set to the number of routers between the physical access point at which the security audit system sends the simulated packet and the physical access point at which it intercepts the simulated packet, plus 1;
4. The security audit system uses a suitable sending mechanism to send the simulated packet A constructed in step 2 to the switch of the internal network;
5. The security audit system uses a suitable packet interception mechanism to capture packets on the external-network side of the NAT, with "TTL field value is 1" as the packet filter condition, and obtains packet B, which is packet A after NAT translation;
6. By parsing packet B, the security audit system obtains the IP and Port after NAT translation and, from the application layer, the IP, Port and timestamp from before NAT translation. This gives the mapping between the MAC, IP and Port of the user machine inside the monitored network and the public IP and Port after NAT translation, together with the timestamp at which the mapping was produced. The mapping record is stored in the mapping table, a suitable timer is set for the record, and the record is also written to a static storage medium;
7. When the timer expires, the mapping record corresponding to the timer is deleted from the mapping table; at the same time the record in the static storage medium is set to the expired state and the expiry timestamp is recorded.
The principle of the invention is:
1) Among the various NAT (Network Address Translation) techniques, NAPT (Network Address Port Translation) is the most widely used today. It lets a group of hosts share one IP address for connecting to the Internet by means of port mapping, which addresses the current IPv4 address shortage well. According to the description in RFC 3489, NAPT is classified as Full Cone, Restricted Cone, Port Restricted Cone and Symmetric. The first three, Full Cone, Restricted Cone and Port Restricted Cone, are cone NATs: every packet coming from the same internal address and port is translated by the NAT to the same external address and port. With Symmetric NAT, packets coming from the same internal address and port and going to the same external destination address and port are also translated to the same external address and port; but packets from the same internal address and port to a different external destination address and port are given a different mapping and are translated to a different external address and port;
2) The TTL (time-to-live) field in the IP header sets the maximum number of routers a datagram may pass through; it specifies the lifetime of the datagram. The initial value of TTL is set by the source host (usually 32 or 64), and each router that handles the datagram decrements the value by 1. When the value of the field reaches 0, the datagram is discarded and an ICMP message is sent to notify the source host;
3) A switch maintains its ARP address table from the source MAC addresses it parses out of the packets received on each port, and adds, modifies and deletes entries in the ARP address table according to those MAC addresses.
A. When the switch receives a new MAC address, it adds it to the ARP address table and records which physical port it corresponds to;
B. When the switch receives a MAC address and finds by comparison that the physical port on which the packet arrived is not the physical port recorded in the ARP address table, it updates that record in the ARP address table;
C. For a dynamic ARP table, expired ARP table records are deleted periodically.
The invention is applied in a security audit system. The internal-to-external address mapping is obtained by sending a simulated packet, imitating the user, from the internal-network side of the NAT, and intercepting and analysing the address-translated simulated packet on the external-network side of the NAT. Setting the source IP, destination IP, source port number and destination port number of the simulated packet to match the packet actually sent by the user guarantees that the address mapping obtained is correct. Carrying a timestamp in the application layer of the simulated packet, together with the timer mechanism, keeps the address mapping held in the security audit system consistent and current with the mapping in the NAT device. Setting a source MAC address that does not exist in the internal network in the simulated packet ensures that the ARP address tables of the internal switches are not adversely affected and that the transmission of normal packets in the internal network is not disturbed. Setting the TTL field of the simulated packet's IP header to a suitable value ensures that the packet is discarded when it reaches the first-hop router of the Internet and does not affect the Internet.
Beneficial effects
The beneficial effect of the invention is that it remedies the deficiency of existing security audit systems by proposing a method for obtaining the internal and external network address mapping relation in a security audit system, comprising the discovery of mappings, the maintenance of the mapping table and a way of avoiding adverse effects on the monitored network and the Internet. It further improves the function of the security audit system and gives better support to security auditing by state security organizations and by enterprises and institutions. The method has no adverse effect on the existing internal network or the Internet and does not require high hardware or software cost, which makes it easy to upgrade existing security audit systems.
Description of the drawings
Fig. 1 is the network structure of a current security audit system in which access uses the TAP mode.
Fig. 2 is the network structure of a current security audit system in which access uses switch port mirroring.
Fig. 3 is the network structure of a security audit system using the method of the invention, for the case where network access uses the TAP mode.
Fig. 4 is the flow chart of data processing on the internal-network side of the NAT in the embodiment of the invention.
Fig. 5 is the flow chart of data processing on the external-network side of the NAT in the embodiment of the invention.
Fig. 6 is the flow chart of timer expiry processing in the embodiment of the invention.
Embodiment
Implementation of the invention: as shown in Fig. 3, this network structure applies to security audit systems that currently use a TAP as the network access mode. The whole process of obtaining the address mapping is illustrated below by example:
1. The security audit system first allocates a sufficiently large buffer to hold the mapping table. Each record in the table stores the source MAC, source IP, destination IP, source Port and destination Port of a user machine in the internal network, together with the IP and Port after NAT mapping. At the same time it opens Eth0 and Eth2 and puts them into promiscuous-mode listening;
2. Packets from user machines going online are intercepted on Eth0 and upstream packets are filtered by source MAC address: a packet whose source MAC is not 00:00:00:00:00:01 proceeds to step 3; otherwise the system loops to process the next packet;
3. From the received upstream packet, the source MAC (0E:3F:45:65:3A:38), destination MAC (0E:3F:45:65:3A:34), source IP (192.168.6.3), destination IP (61.45.195.66), source Port (1028) and destination Port (80) are extracted. The four-tuple 192.168.6.3, 61.45.195.66, 1028 and 80 is used to query the mapping table in the system. If the query shows that a mapping record exists, the timer of that mapping is reset, the following steps are skipped and the next received packet is processed; otherwise the source MAC, destination MAC, source IP and source Port, destination IP and destination Port are sent as one group of data to a separate message queue 1;
4. An independent thread can be used to read message queue 1 and build a complete simulated packet from this information. The source MAC can be set to 00:00:00:00:00:01 (a MAC address that cannot appear in the network), the destination MAC is 0E:3F:45:65:3A:34, the source IP is 192.168.6.3, the destination IP is 61.45.195.66, the source Port is 1028 and the destination Port is 80, and the application-layer data is "0E:3F:45:65:3A:38\r\n192.168.6.3:1028\r\n61.45.195.66:80\r\n2007-3-15 16:56:45\r\n\r\n";
5. The packet constructed in step 3 is sent directly to the switch from Eth1 using a raw socket;
6. The system intercepts all NAT-translated packets on Eth2 and uses "TTL equals 1" as the filter condition, discarding packets that do not meet it. Packets that meet the condition continue with step 6;
7. Packets are read from message queue 2 and parsed layer by layer: the IP address after NAT translation, 220.104.32.56, is obtained from the network layer, the port number 20001 is obtained from the transport layer, and the internal machine's source MAC 0E:3F:45:65:3A:38, source IP 192.168.6.3 and source Port 1028, the destination IP 61.45.195.66 and destination Port 80, and the timestamp 2007-3-15 16:56:45 are obtained from the application layer. This information is added to the mapping table and a timer is set for it; at the same time the information is written to the database for storage;
8. When the timer set in step 6 expires, the corresponding record is deleted from the mapping table, the expiry time of the corresponding record in the database is set to the current time, and the record is marked as expired;
9. When it is later necessary to trace which user was using a certain IP:Port in a certain time period, it is only necessary to query the database with the IP, Port and time point as conditions to find exactly the MAC, IP and Port of the internal user machine.
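An added example, not code from the patent, that runs the embodiment's probe-and-capture cycle offline on constructed frames using the embodiment's addresses. It assumes UDP as the transport, one router between the send and capture points, and a 120-second record lifetime; all function and class names are hypothetical, and the check that the payload destination matches the packet header is an addition to the "TTL equals 1" filter.

```python
import socket
import struct

PROBE_MAC = bytes.fromhex("000000000001")  # MAC "Y": never used by a real internal host


def ip_checksum(header):
    """Ones'-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, ttl, body_len):
    # Protocol 17 = UDP (assumption; the method allows TCP or UDP).
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + body_len, 0, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def build_probe(user_mac, dst_mac, src_ip, sport, dst_ip, dport, routers, stamp):
    """Step 3: copy packet X's four-tuple, use source MAC Y, set TTL = routers + 1."""
    body = f"{user_mac}\r\n{src_ip}:{sport}\r\n{dst_ip}:{dport}\r\n{stamp}\r\n\r\n"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body.encode("ascii")
    eth = bytes.fromhex(dst_mac.replace(":", "")) + PROBE_MAC + b"\x08\x00"
    return eth + ipv4_header(src_ip, dst_ip, routers + 1, len(udp)) + udp


def simulate_nat(frame, public_ip, public_port, routers):
    """Constructed stand-in for the NAT path: rewrite the source, decrement the TTL."""
    ttl = frame[22] - routers
    if ttl < 1:
        return None  # a real router would have dropped it before the capture point
    udp = struct.pack("!H", public_port) + frame[36:]
    dst_ip = socket.inet_ntoa(frame[30:34])
    return frame[:14] + ipv4_header(public_ip, dst_ip, ttl, len(udp)) + udp


def parse_captured(frame):
    """Steps 5-6: accept only TTL == 1 probes and return both sides of the mapping."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[22] != 1 or frame[23] != 17:
        return None
    lines = frame[42:].decode("ascii", "replace").split("\r\n")
    try:
        in_ip, in_port = lines[1].rsplit(":", 1)
        dst_ip, dst_port = lines[2].rsplit(":", 1)
        rec = {"mac": lines[0], "inside": (in_ip, int(in_port)),
               "dest": (dst_ip, int(dst_port)), "stamp": lines[3]}
    except (IndexError, ValueError):
        return None  # TTL == 1 but not a probe payload, e.g. a traceroute packet
    header_dest = (socket.inet_ntoa(frame[30:34]), struct.unpack("!H", frame[36:38])[0])
    if rec["dest"] != header_dest:
        return None  # added sanity check: payload must agree with the header
    rec["public"] = (socket.inet_ntoa(frame[26:30]), struct.unpack("!H", frame[34:36])[0])
    return rec


class MappingTable:
    """Steps 2, 6 and 7: live table keyed by the four-tuple, plus an expired archive."""

    def __init__(self, lifetime):
        self.lifetime, self.live, self.archive = lifetime, {}, []

    def seen(self, key, now):
        """Step 2: reset the timer and return True if the flow is already mapped."""
        if key not in self.live:
            return False
        self.live[key]["expires"] = now + self.lifetime
        return True

    def learn(self, rec, now):
        self.live[rec["inside"] + rec["dest"]] = dict(rec, created=now,
                                                      expires=now + self.lifetime)

    def expire(self, now):
        """Step 7: move timed-out rows to the archive with their expiry time."""
        for key in [k for k, r in self.live.items() if r["expires"] <= now]:
            self.archive.append(dict(self.live.pop(key), expired=now))

    def who_used(self, public, when):
        """Trace a public IP:Port at time `when` back to the internal MAC, IP and Port."""
        for rec in self.archive + list(self.live.values()):
            end = rec.get("expired", rec["expires"])
            if rec["public"] == public and rec["created"] <= when < end:
                return rec["mac"], rec["inside"]
        return None


if __name__ == "__main__":
    table = MappingTable(lifetime=120)  # lifetime in seconds is an assumption
    probe = build_probe("0E:3F:45:65:3A:38", "0E:3F:45:65:3A:34", "192.168.6.3", 1028,
                        "61.45.195.66", 80, routers=1, stamp="2007-3-15 16:56:45")
    table.learn(parse_captured(simulate_nat(probe, "220.104.32.56", 20001, 1)), now=0)
    print(table.who_used(("220.104.32.56", 20001), when=60))
```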
Although the invention has been described through embodiments, those of ordinary skill in the art know that the invention has many variations and changes that do not depart from its spirit, and it is intended that the appended claims cover these variations and changes without departing from the spirit of the invention.

Claims (4)

1. A method for obtaining the internal and external network address mapping relation in a security audit system, comprising the discovery of mappings, the maintenance of the mapping table and a way of avoiding adverse effects on the monitored network and the Internet, characterized in that:
The audit system actively sends simulated data packets to probe the mapping between the two sides of the NAT. This comprises triggering the probe, constructing the simulated data packet, sending the simulated packet, and intercepting and analysing the simulated packet after NAT translation; the simulated packets that are sent are controlled so that they do not affect the normal operation of the monitored network or the Internet;
The system maintains a mapping table indexed by source IP, source Port, destination IP and destination Port. The system checks the table at all times, and when it finds that an entry is missing or has expired, it actively initiates a probe of the mapping; once the mapping is obtained, the detected mapping is used to update the mapping table;
The source IP and destination IP in the IP header of the simulated packet are identical to the source IP and destination IP of the packet actually sent by the user;
The source Port and destination Port in the TCP or UDP header of the simulated packet are identical to the source Port and destination Port of the packet actually sent by the user;
The source MAC address at the Ethernet layer of the simulated packet is a MAC address that does not already exist in the internal network, which ensures that sending the simulated packet has no adverse effect on the ARP address tables of the switches in the network;
The TTL field in the IP header of the simulated packet is set to the number of routers between the physical access point at which the security audit system sends the simulated packet and the physical access point at which it intercepts the simulated packet, plus 1. This ensures that the simulated packet is discarded as soon as it enters the first-hop router of the Internet and has no adverse effect on the Internet.
2. The method according to claim 1, characterized in that: the application-layer content of the simulated packet carries the IP address and Port of the packet actually sent by the user; the format in which the IP address and Port are carried in the application layer is not restricted.
3. The method according to claim 1 or 2, characterized in that: the application-layer content of the simulated packet carries the timestamp at which the simulated packet was produced; the format in which the timestamp is carried in the application layer is not restricted.
4. The method according to claim 1 or 2, characterized in that: when the security audit system intercepts the simulated packet after NAT translation, it uses "TTL field equals 1" as the packet filter condition.
CN2007100523377A 2007-05-31 2007-05-31 Method for obtaining internal and external network address mapping relation in safety auditing system Expired - Fee Related CN101068242B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007100523377A CN101068242B (en) 2007-05-31 2007-05-31 Method for obtaining internal and external network address mapping relation in safety auditing system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007100523377A CN101068242B (en) 2007-05-31 2007-05-31 Method for obtaining internal and external network address mapping relation in safety auditing system

Publications (2)

Publication Number Publication Date
CN101068242A true CN101068242A (en) 2007-11-07
CN101068242B CN101068242B (en) 2010-04-14


Publication Publication Date Title
CN101068242B (en) Method for obtaining internal and external network address mapping relation in safety auditing system
Ring et al. Creation of flow-based data sets for intrusion detection
US7555550B2 (en) Asset tracker for identifying user of current internet protocol addresses within an organization's communications network
Glatz et al. Classifying internet one-way traffic
Bhuyan et al. Towards Generating Real-life Datasets for Network Intrusion Detection.
CN101924757B (en) Method and system for reviewing Botnet
US9043461B2 (en) Firewall event reduction for rule use counting
US20160191549A1 (en) Rich metadata-based network security monitoring and analysis
US7580822B2 (en) Server recording and client playback of computer network characteristics
Plonka et al. Context-aware clustering of DNS query traffic
US7907543B2 (en) Apparatus and method for classifying network packet data
CN100493065C (en) Method for using immediate information software by data detection network address switching equipment
Nickless et al. Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics
CN110149245A (en) The compressed sensing based high-speed network flow method of sampling and device
McHugh Sets, bags, and rock and roll: Analyzing large data sets of network data
CN114760150A (en) Network security protection method and system based on big data
Peng et al. Design and implementation of network instruction detection system based on snort and NTOP
Arjmandpanah‐Kalat et al. Design and performance analysis of an efficient single flow IP traceback technique in the AS level
Celeda et al. Large-scale geolocation for netflow
Gadelrab et al. Manipulation of network traffic traces for security evaluation
Xu et al. Real-time behaviour profiling for network monitoring
Rincón et al. Reproducing DNS 10Gbps flooding attacks with commodity-hardware
Ahmed et al. Learning-Based Detection of Malicious Hosts by Analyzing Non-Existent DNS Responses
Nie Attack Fingerprints based on the Activity and Event Network (AEN) Model
Ruohonen et al. On the design of a simple network resolver for DNS mining

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100414

Termination date: 20130531